Self-attribution as strategy in the Russo-Ukrainian War

On 25 July 2025, Ukraine’s Main Directorate of Intelligence (HUR) announced that it had gained full access to servers used by the Russian occupation administration in Crimea, several days after initiating the operation with a DDoS attack around July 23. Over the following two days more than 100 terabytes of documents were exfiltrated – equivalent to millions of files – in an incident confirmed by Russian officials. The operation was not kept in the shadows: the HUR itself publicised the breach, presenting screenshots and obtained files as proof, including materials on the abduction of Ukrainian children to Russia. By openly claiming responsibility, Ukraine’s military intelligence service humiliated Moscow and turned self-attribution into a weapon of visibility and strategic communication.

Since 2023, the HUR has emerged as a visible cyber actor in the Russo-Ukrainian war. Its operations, conducted with affiliated groups and volunteers, are marked by an unusual degree of transparency. Differing from the typical intelligence community practice of emphasis on secrecy and (im)plausible deniability, the HUR has adopted rapid self-attribution: it claims responsibility, publishes supporting evidence, and engages with domestic and foreign media. This practice makes self-attribution a deliberate instrument of wartime strategy. It combines disruption of the enemy with information operations and legitimacy-building, but it also risks operational exposure and credibility loss. The significance of this approach becomes clearer when viewed against the scale and impact of the HUR cyber operations.

 Scale and impact of HUR cyber operations

Since the beginning of the large-scale Russian invasion of Ukraine in February 2022, the HUR is reported to have directed more than one hundred high-level cyber operations inside Russian-controlled territory. According to official Ukrainian accounts, these operations have extracted substantial quantities of classified material from Russian systems, disrupted the command-and-control structure of the Russian military, and, recently, disabled platforms handling fuel card payments and telecom systems critical to the Russian war effort

These operations do not take place in isolation. The HUR cooperates with a range of affiliated groups, including established networks of cyber specialists as well as informal hacktivist communities. The Cyber Alliance, composed of experienced volunteers, claims to have carried out intrusions, intercepted communications, and published sensitive Russian material to undermine the Kremlin’s war effort. Active since 2016, the group has played a long-standing role in Ukraine’s cyber domain. The Black Owl (BO) Team, which has operated since early 2024, is described as responsible for penetrating Russian military and industrial systems; Russian cybersecurity company Kaspersky has described it as a major threat. Another hacker group, Laska, was awarded a Ukrainian military decoration in March 2025 by Lieutenant General Kyrylo Budanov, chief of the HUR. Beyond these examples, larger networks of citizen hackers and cyber volunteers provide supporting roles, often coordinated through HUR-run Telegram bots and channels. 

In 2025, the HUR has notably escalated its cyber operations. The service publicly claimed responsibility in June for breaching the systems of Russian strategic bomber developer Tupolev, stealing over 4.4 GB of sensitive files and defacing its website. In July, they hacked the occupation administration in Crimea. Further operations targeted critical suppliers such as Gazprom and the Gaskar Group, a UAV producer, with the reported outcome of paralysed systems and disruptions to logistics chains essential for Russian military production. 

In early August, the HUR released technical and operational documents on the Borei-A-class nuclear submarine, K-555 Knyaz (Prince) Pozharsky. Commissioned on 24 July in the presence of President Putin, the vessel’s combat instructions, crew lists, and procedures were soon online. The HUR framed the leak as evidence of vulnerabilities across the class, though it remains unclear whether the files came from hacking or other means. Regardless, the disclosure undercut the commissioning’s symbolic prestige and reflected the HUR’s strategy of publicising sensitive Russian military information.

Proof, performance, and the logics of visibility

What ties all these operations together, despite their differences in scale, is the HUR’s practice of open attribution. Whereas most intelligence services rely on ambiguity to conceal methods and deter reprisals, the HUR frequently issues public claims of responsibility within hours or days of an operation. Such announcements are typically accompanied by material intended to bolster credibility: screenshots of internal systems, snippets of stolen files, or images of defaced websites. 

Several mechanisms underpin this attribution strategy. First, the HUR maintains an active public relations posture, with spokespersons engaging directly with Ukrainian and international media outlets. Second, the agency operates an official Telegram channel and other social media accounts that disseminate evidence, intercepts, and updates. Finally, the HUR regularly engages in doxing, releasing detailed personal data of Russian military or intelligence personnel as part of a broader effort to deter adversaries and signal reach into sensitive systems. 

The combination of official channels and outlets of affiliated groups such as the Cyber Alliance and BO Team gives the HUR’s operations a participatory dimension. Telegram bots allow civilians to submit information and receive updates, creating a sense of shared responsibility and blurring the boundaries between formal state intelligence activity and grassroots mobilisation. The resulting system is a hybrid of professional cyber operations and hacktivist signalling, where self-attribution serves both strategic and performative functions.

Credibility, legitimacy, and the limits of transparency

This public attribution enhances visibility but exposes Ukraine to risks. Disclosing tactics and technical proof allows Russian defenders to adapt, while involving affiliated groups increases the chance of leaks or compromise. Each release may reveal tools, signatures, or exploited vulnerabilities that adversaries can patch or monitor. Escalation is another concern: highly visible operations invite retaliation, and Moscow has already used Ukrainian claims to justify strikes against military networks and civilian infrastructure.

Credibility and legitimacy also remain fragile. Because most disclosures cannot be independently verified, Russia dismisses them as propaganda, and any error could erode trust. Publishing operational details risks exposing human or technical sources, complicating cooperation with partners and endangering volunteers. From a legal perspective, the evidentiary value of such material is uncertain, while attacks on dual-use or critical infrastructure may cause humanitarian or diplomatic fallout if essential services are disrupted. 

Changing norms: Self-attribution as an instrument of war

Nevertheless, the HUR’s cyber campaign points to changes in intelligence practice during conflict. By combining state capabilities with volunteer contributions, it blurs the boundary between official services and hacktivists, creating coordination challenges for partners. Western intelligence services accustomed to cautious attribution may view Ukraine’s rapid disclosures as problematic, particularly when they precede consultation or involve shared intelligence.

Whereas Western debates on ‘loud cyber’ frame openness primarily as a tool of deterrence, Ukraine employs visibility as an instrument of strategic communication and mobilisation. In doing so, it undermines Russian claims of control, sustains domestic morale, and keeps international attention on the war.

The broader implications remain contested. Ukraine’s experiment may represent a wartime exception, tailored to the needs of survival and mobilisation, or it could signal the emergence of new attribution norms in cyber conflict. Either way, it demonstrates that self-attribution can function as both a weapon of war and a tool of (political) legitimacy, reshaping expectations of how intelligence agencies operate in public view.